authorPierlauro Sciarelli <pierlauro.sciarelli@mongodb.com>2023-04-20 09:29:20 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2023-04-20 10:53:40 +0000
commit44b65708ef058734d9847d41d499efba888e298e (patch)
treed33ce615d264d0e538993bf1acc54c551121837f
parentc7b8de3848fa6703599085541f9c7af6cf959288 (diff)
SERVER-76178 Fix moveRange authorization requirements
-rw-r--r--jstests/auth/lib/commands_lib.js30
-rw-r--r--src/mongo/s/commands/cluster_move_range_cmd.cpp2
2 files changed, 31 insertions, 1 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index 81a78a3f9b6..aa52bc003a1 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -5041,6 +5041,36 @@ var authCommandsLib = {
]
},
{
+ testname: "s_moveRange",
+ command: {moveRange: "test.x", min: {x:1}, toShard:"a"},
+ skipUnlessSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {db: "test", collection: "x"}, actions: ["moveChunk"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "d_moveRange",
+ command: {_shardsvrMoveRange: "test.x", fromShard: "a", toShard: "b", min: {}, max: {}, maxChunkSizeBytes: 1024},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: {__system: 1},
+ privileges: [{resource: {cluster: true}, actions: ["internal"]}],
+ expectFail: true
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
testname: "movePrimary",
command: {movePrimary: "x"},
skipUnlessSharded: true,
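Review bot: The `s_moveRange` case lists only the grant that should be accepted (`moveChunk` on `test.x`), so nothing in this hunk pins the regression itself: a `moveChunk` privilege on `{cluster: true}`, which the old check accepted, now being refused. Whether the harness can express a privilege set that must be denied is not visible here; if it can, add that case, and otherwise a small dedicated jstest would cover it. Both new cases set `expectFail: true`, so they presumably only separate an Unauthorized error from other failures, and a comment above the entry would make the intent explicit, e.g. `// SERVER-76178: moveRange requires moveChunk on the exact namespace, not on the cluster resource`.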
diff --git a/src/mongo/s/commands/cluster_move_range_cmd.cpp b/src/mongo/s/commands/cluster_move_range_cmd.cpp
index c06ca4a5c47..fd2f77ea9f5 100644
--- a/src/mongo/s/commands/cluster_move_range_cmd.cpp
+++ b/src/mongo/s/commands/cluster_move_range_cmd.cpp
@@ -100,7 +100,7 @@ public:
uassert(ErrorCodes::Unauthorized,
"Unauthorized",
AuthorizationSession::get(opCtx->getClient())
- ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forExactNamespace(ns()),
ActionType::moveChunk));
}
};
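Review bot: The reason for authorizing on `forExactNamespace(ns())` rather than the cluster resource is not recorded next to the `uassert`, so a later edit could widen the check again without noticing; a comment such as `// moveChunk must be held on the exact target namespace, not on the cluster resource (SERVER-76178)` would keep it in place. The change also alters who is authorized: a custom role that granted `moveChunk` on the cluster resource in order to run moveRange would presumably start receiving Unauthorized after upgrade, which deserves a release-note line. The enclosing method begins above the hunk, so how `ns()` is derived from the request and whether it is validated before this check cannot be confirmed from here.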